Den 12 dec 2014 13:41 skrev "Petter Ericson" <<a href="mailto:pettter@acc.umu.se">pettter@acc.umu.se</a>>: > > > > For deniability to have any real world effect, there'd need to be a LOT > > of people forging chat logs pretty routinely. As it's only relevant when > > there's some breakdown in privacy, and that should hopefully be rare in a > > good cryptographic system, getting people to routinely forge or edit logs > > seems .... hard. > > > > It doesn't need to be routine, just frequent enough that nobody assumes > > authencity. > > The point is: it isn't, and frankly I'm highly sceptical it will ever be. > Further, an unauthenticated chat log _is_ potentially more convincing than you > are (see the anakata case for example), and no one stores authenticated chat > logs that I know of. Do you? Relatedly: have you altered chat logs at some > point? Specifically, have you _added_ stuff to a chat log? Do you know of an > instance where this has happened? > > Would a judge, police office, prosecutor or jury have any knowledge about such > a thing having happened? Would they decide that this is likely to have happened > in any specific instance? I see this as a problem of education, not inherently of the technology. There's no reason for anybody to find a text file convincing without knowledge about where it comes from. If they do anyway, facts and explanations should fix that by showing that the blind trust in authencity is unfounded and unjustifiable. Making comparisons to something fairly well known like Photoshop should help them understand. And then you explain how much easier it is to modify text to look plausible. For myself, I've never yet been part of a discussion interesting enough for deniability to matter. As in I'm still young and haven't yet been making any negotiations with a potential employer in a field where it matters, or anything else with high stakes. I'm also not very extrovert, so there's not much at all of my private thoughts and matters that's even written down anywhere at all. But that's just me, and that's just today, and when the stakes go up it becomes more important with higher security. I'm always trying to apply creativity and imagine plausible edge cases. Sometimes when you look into them closer you'll even get surprised by how much more common they are than you thought. Try to think like an attacker - if I'm trying to achieve A and the current attack X is foiled, what else can be done to get closer to A? Don't dismiss Y and Z on seeming implausible. If they can work at all, they must be considered. And don't forget about simple failures. Like previously mentioned, sending to the wrong person. > Deniability is a solution looking for a problem, and so far it's not doing a > great job of finding it. The problem exists, it is a valid solution, it just doesn't show its strength because it is the other layers of security around it which is failing. Don't blame the pillars of the bridge when it is all the other parts that's falling down. Make them stronger and then you'll see the value of it. Taking it away and strengthening the others will only result in a different failure.